More bad news this week coming out of the SWIFT messaging system hacks. New banks are being targeted and an unspecified number have experienced incidents. In the case of the $81 million Bangladesh Bank breach, the intrusion started with a vulnerable network switch.

The bank used “second-hand networking gear” which led to the compromise. Second-hand anything in your security and networking infrastructure is probably not a great idea, and not keeping infrastructure patched is a recipe for trouble.

Maintaining an IAM Infrastructure

Unfortunately, I see companies investing large sums of money to stand up new IAM functions and then forgetting to leave time in their IAM program to maintain their IAM infrastructure and related software.

They get so focused on delivering new features, system connections, mitigating audit points, and other tasks that they never get around to keeping their IAM platform up-to-date.

Years of neglect go by, which makes the platform that much more expensive to maintain. Next thing you know, your IAM system “doesn’t work right” and you start shopping around for a replacement because it is deemed too expensive to fix.

That expensive cycle then repeats itself in 5-10 years because the IAM program did not appropriately account for maintenance of its services. If you drive a car without getting an oil change every so often, you are going to have a bad time. IAM platforms are no different.

“Attackers unknown are now plundering other banks by exploiting neglected local information security infrastructure.”

-Darren Pauli, The Register

Examine Your IAM Program

Take a look at your IAM program. Do you have a routine patching cycle for your OS and your IAM software? If not, you are potentially introducing another risk point for your organization. IAM vendors routinely release patches, and not taking advantage of them to reduce your risk is just asking for trouble.

Software vendors also routinely update their software to add new features. Keep your systems up-to-date and gain security and functionality benefits?

Sounds like a win-win (and no-brainer) to me, especially since you are most likely already paying for the updates via your software maintenance contract. Don’t leave money on the table: keep your IAM platform updated!

Jeff Steadman


As part of our advisory practice, I partner with our clients to help plan their IAM strategies. Prior to joining Identropy, I spent over a dozen years managing, building, and running Identity & Access Management programs, projects, and teams for SC Johnson and Walgreens.